3 resolutions you can make for better security in 2012

By William Jackson

Dec 23, 2011

I’m not a big fan of New Year’s resolutions. I find I am no more likely to change my behavior for the better Jan. 1 than I am May 23. But in the spirit of the season, here is some advice that could be helpful any time of the year.

Money is tight and security can be expensive, but if 2011 has taught us anything it is that not having adequate security can be even more expensive. The costs of cleaning up after a breach, the lost productivity and the negative publicity all take a toll.

Fortunately there are some things you can do in 2012 to improve your security that don’t have to cost a lot of money.

1. Take responsibility for security.

I hate it when someone says I have to take responsibility for security, but the fact is that the end user is the first and last line of defense.

One trend in high-profile breaches over the past year has been the use of social engineering to introduce malware into a system. Essentially, this means that at some point a user made a bad decision about what file to open, what link to click on or what site to visit.

We need to remember that spam filters, phishing philters and even antivirus software programs are not really security, but labor-saving tools. They help to reduce the volume of dangerous, questionable or just plain worthless stuff that comes into our systems, but we cannot assume that what does come through is safe.

Take a minute to scrutinize all e-mail and other communications, resist idle curiosity and refuse to be titillated. Reducing your online communications to legitimate business can be boring, but it is better than getting taken for a ride.

2. Extend your cyber hygiene to personal devices.

Most of us know that we should treat the personal desktop or laptop we use for work as an extension of the enterprise, and most organizations have policies about this. But the same applies to every handheld or mobile device that we use to keep in touch while away from home and out of the office.

This should go without saying, but the increasing ease with which these devices can move between personal and business use makes it easy to forget. Organizations are putting policies and procedures in place to address this, but the end user can take it upon himself to practice good hygiene whatever device is being used.

3. Avoid the disgruntled employee.

IT systems exist so that people can use them to access, manipulate and move information, and this means that at some point the end user has to be trusted. This is the point where security tends to break down and organizations are most vulnerable. Defending against a malicious insider is difficult.

One solution is to keep employees happy. Let them understand that their interests and those of the organization are the same. This does not require high technology or a big budget. Studies have repeatedly shown that employee satisfaction is more about attitude than money.

As Ebenezer Scrooge said of his old employer, Fezziwig, in A Christmas Carol: “He has the power to render us happy or unhappy; to make our service light or burdensome; a pleasure or a toil. Say that his power lies in words and looks; in things so slight and insignificant that it is impossible to add and count ’em up: what then? The happiness he gives is quite as great as if it cost a fortune.”